feat(nixos): add org-agenda-api hosting with nginx + Let's Encrypt

Add NixOS module to host org-agenda-api container on railbird-sf:
- org-agenda-api-host.nix: New module with nginx reverse proxy and ACME
- nginx configured for rbsf.tplinkdns.com with automatic TLS
- Container runs on port 51847 (random high port)
- Supports nix-built container images via imageFile option

Configure railbird-sf to use the new module:
- Build org-agenda-api container from flake
- Pass container to machine config via specialArgs
- Set up agenix secret for container environment

Note: Requires creating secrets file with AUTH_PASSWORD and
GIT_SSH_PRIVATE_KEY environment variables.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

nixos/machines/railbird-sf.nix

@@ -1,11 +1,26 @@
-{ config, lib, pkgs, forEachUser, ... }:
+{ config, lib, pkgs, forEachUser, inputs, orgAgendaApiContainer ? null, ... }:
 {
   imports = [
     ../configuration.nix
+    inputs.agenix.nixosModules.default
   ];
 
   networking.hostName = "railbird-sf";
 
+  # org-agenda-api hosting with nginx + Let's Encrypt
+  age.secrets.org-api-env = {
+    file = ../secrets/org-api-passwords.age;
+    # Readable by the podman container service
+  };
+
+  services.org-agenda-api-host = {
+    enable = true;
+    domain = "rbsf.tplinkdns.com";
+    containerImage = "colonelpanic-org-agenda-api";
+    containerImageFile = orgAgendaApiContainer;
+    secretsFile = config.age.secrets.org-api-env.path;
+  };
+
   hardware.enableRedistributableFirmware = true;
   boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];